[Date Prev][Date Next][Thread Prev][Thread Next] [Search] [Date Index] [Thread Index]

Re: [MacPerl] Dangerous cgi-script

To: mac-perl@iis.ee.ethz.ch
Subject: Re: [MacPerl] Dangerous cgi-script
From: Matthias Ulrich Neeracher <neeri@iis.ee.ethz.ch>
Date: Thu, 10 Jul 1997 16:43:53 +0200
In-reply-to: Your message of Thu, 10 Jul 1997 16:23:05 +0200.

claes@canit.se (Claes Bjorklund) writes:
>Is this this cgi script dangerous? the idea with the script to let the
>www-user do simple mathematics, but I am affraid they can do some thing
>dangerous, is there any differnts with Unix or Mac?
>
>$math = $FORM{'calc'};
>$res=eval "$math";
>[...]

This script is very dangerous indeed. Think of what happens if some user
decides that "unlink" is a mathematical operator! The solution for this is to
eith use the Safe module (but I have never really tried that on MacPerl) or to
do a sanity check on $math before evaluating it. (Forbidding more than 3
successive alphabetic characters, for instance, allows sin and cos while
forbidding most (all?) dangerous operators).

Matthias

-----
Matthias Neeracher   <neeri@iis.ee.ethz.ch>   http://www.iis.ee.ethz.ch/~neeri
   "I'm set free to find a new illusion" -- Velvet Underground

***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch

Follow-Ups:
- Re: [MacPerl] Dangerous cgi-script
  - From: Nicolas Le Clerc <nleclerc@pobox.com>
- Re: [MacPerl] Dangerous cgi-script
  - From: "Todd M.Smith" <todd@nunatak.mbt.washington.edu>

Prev by Date: [MacPerl] DBM (fwd)
Next by Date: Re: [MacPerl] Wong: Web Client Programming with Perl
Prev by thread: Re: [MacPerl] Dangerous cgi-script
Next by thread: Re: [MacPerl] Dangerous cgi-script
Navigation: Date Index | Thread Index | Search | Other lists at bumppo.net